Skip to main content

Symfony UX LiveComponent CVE-2026-49215

LOW
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-19 https://github.com/symfony/ux

Severity by source

vuln.today AI
4.3 MEDIUM

Network-delivered CSRF requiring active victim interaction (UI:R, PR:N); integrity-only impact since LiveActions mutate state without inherent data exfiltration.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 19, 2026 - 21:45 vuln.today
Analysis Generated
Jun 19, 2026 - 21:45 vuln.today

DescriptionCVE.org

Description

When using symfony/ux-live-component, methods annotated with #[LiveAction] are invokable from the browser and mutate server-side state via AJAX. Symfony\UX\LiveComponent\EventListener\LiveComponentSubscriber::isLiveComponentRequest() gated these invocations on the presence of Accept: application/vnd.live-component+html, with a code comment stating that this acted as a CSRF protection.

The Accept header is a CORS-safelisted request header, so a cross-origin fetch() can set it without triggering a preflight. The header therefore provided no CSRF protection. Any #[LiveAction] could be forged cross-origin against a victim's session.

In practice the attack is mitigated by SameSite=Lax session cookies (Symfony's default), but applications using SameSite=None, credentials: 'include' with a permissive cookie policy, or that have been pivoted from another same-origin vector remained exposed.

Resolution

isLiveComponentRequest() now additionally requires the request header X-Requested-With: XMLHttpRequest. This header is not CORS-safelisted, so the browser issues a preflight OPTIONS request for any cross-origin attempt; Symfony does not advertise CORS for LiveComponent endpoints, the preflight fails, and the real request is blocked before it reaches the application. The bundled Stimulus client already sends X-Requested-With on every LiveComponent request (RequestBuilder.ts), so standard usage is unaffected. Cross-origin callers must add X-Requested-With to their CORS Access-Control-Allow-Headers allow-list.

The patch for this issue is available here for branch 2.x (and forward-ported to 3.x).

Credits

Symfony would like to thank Anthropic (via Project Glasswing) for reporting the issue and Hugo Alliaume for providing the fix.

AnalysisAI

CSRF protection bypass in symfony/ux-live-component allowed cross-origin invocation of any server-side #[LiveAction] method against an authenticated victim's session. The library incorrectly relied on the Accept: application/vnd.live-component+html header as a CSRF guard, but per the Fetch specification §3.2.2 this is a CORS-safelisted header, meaning cross-origin fetch() calls can include it without triggering a preflight OPTIONS request. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Victim loads attacker-controlled page
Delivery
Cross-origin fetch() crafted with Accept header
Exploit
Browser skips CORS preflight (safelisted header)
Execution
Server validates only Accept header, accepts request
Persist
LiveAction method executes under victim session
Impact
Unauthorized server-side state mutation

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) the target application runs symfony/ux-live-component >= 2.22.0,< 2.36.0 or >= 3.0.0, < 3.1.0 without the patch applied; (2) the application exposes at least one method annotated with #[LiveAction] that performs meaningful state mutation; and (3) the victim's session cookie is not protected by SameSite=Lax or SameSite=Strict - specifically, the application must use SameSite=None, or the attacker must have a same-origin foothold (e.g., stored XSS on the same domain) to bypass Lax restrictions. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS score was provided by NVD or the vendor for this CVE; the assessed vector below is analyst-derived. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a web page containing a script that calls fetch('https://victim-app.example.com/live-component-endpoint', { method: 'POST', credentials: 'include', headers: { 'Accept': 'application/vnd.live-component+html' }, body: '...' }). If the victim browses to this page while authenticated and their session cookie is configured with SameSite=None (or the attacker controls same-origin content via XSS), the browser attaches the victim's session cookie without issuing a CORS preflight, and the server processes the forged #[LiveAction] call as if it originated legitimately from the victim's browser. …
Remediation Upgrade symfony/ux-live-component to version 2.36.0 (for 2.x installations) or 3.1.0 (for 3.x installations). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49215 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy